0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe
Size

328KB
MD5

7abb738b1a9ed9733204d19e102963e0
SHA1

64cf8bdd498c4192dddfbbcfec385f16aab7e3e7
SHA256

0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c
SHA512

91103dd186218b173c0d5d17911be890a33304ebf839bae4b77f11fd1db3bdb533458b88adc06af2551926729842ef3667b82dfb17af8240185dd4bc4832279f
SSDEEP

6144:J2XgY8FFX7Z6A/P352p4gFs/e8PeAZuon2T5T7UcIGMAQTeJ:J2X1cFx/PAp4ks/e6Fn2dEZGjQSJ

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\conhost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\conhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe

Executes dropped EXE 4 IoCs

pid	Process
2808	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe
3956	conhost.exe
3792	conhost.exe
4892	conhost.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2808-7-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2808-10-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2808-11-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2808-37-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4892-47-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4892-54-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4892-51-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2808-59-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3792-63-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4892-64-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4892-66-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4892-69-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4892-71-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4892-73-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Console Window Host = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\conhost.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1524 set thread context of 2808	1524	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe	99
PID 3956 set thread context of 3792	3956	conhost.exe	106
PID 3956 set thread context of 4892	3956	conhost.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3300	reg.exe
3276	reg.exe
2388	reg.exe
780	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 1	4892	conhost.exe
Token: SeCreateTokenPrivilege	4892	conhost.exe
Token: SeAssignPrimaryTokenPrivilege	4892	conhost.exe
Token: SeLockMemoryPrivilege	4892	conhost.exe
Token: SeIncreaseQuotaPrivilege	4892	conhost.exe
Token: SeMachineAccountPrivilege	4892	conhost.exe
Token: SeTcbPrivilege	4892	conhost.exe
Token: SeSecurityPrivilege	4892	conhost.exe
Token: SeTakeOwnershipPrivilege	4892	conhost.exe
Token: SeLoadDriverPrivilege	4892	conhost.exe
Token: SeSystemProfilePrivilege	4892	conhost.exe
Token: SeSystemtimePrivilege	4892	conhost.exe
Token: SeProfSingleProcessPrivilege	4892	conhost.exe
Token: SeIncBasePriorityPrivilege	4892	conhost.exe
Token: SeCreatePagefilePrivilege	4892	conhost.exe
Token: SeCreatePermanentPrivilege	4892	conhost.exe
Token: SeBackupPrivilege	4892	conhost.exe
Token: SeRestorePrivilege	4892	conhost.exe
Token: SeShutdownPrivilege	4892	conhost.exe
Token: SeDebugPrivilege	4892	conhost.exe
Token: SeAuditPrivilege	4892	conhost.exe
Token: SeSystemEnvironmentPrivilege	4892	conhost.exe
Token: SeChangeNotifyPrivilege	4892	conhost.exe
Token: SeRemoteShutdownPrivilege	4892	conhost.exe
Token: SeUndockPrivilege	4892	conhost.exe
Token: SeSyncAgentPrivilege	4892	conhost.exe
Token: SeEnableDelegationPrivilege	4892	conhost.exe
Token: SeManageVolumePrivilege	4892	conhost.exe
Token: SeImpersonatePrivilege	4892	conhost.exe
Token: SeCreateGlobalPrivilege	4892	conhost.exe
Token: 31	4892	conhost.exe
Token: 32	4892	conhost.exe
Token: 33	4892	conhost.exe
Token: 34	4892	conhost.exe
Token: 35	4892	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe
Token: SeDebugPrivilege	3792	conhost.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1524	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe
2808	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe
3956	conhost.exe
3792	conhost.exe
4892	conhost.exe
4892	conhost.exe
4892	conhost.exe
4892	conhost.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 2808	1524	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe	99
PID 1524 wrote to memory of 2808	1524	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe	99
PID 1524 wrote to memory of 2808	1524	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe	99
PID 1524 wrote to memory of 2808	1524	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe	99
PID 1524 wrote to memory of 2808	1524	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe	99
PID 1524 wrote to memory of 2808	1524	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe	99
PID 1524 wrote to memory of 2808	1524	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe	99
PID 1524 wrote to memory of 2808	1524	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe	99
PID 2808 wrote to memory of 4576	2808	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe	100
PID 2808 wrote to memory of 4576	2808	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe	100
PID 2808 wrote to memory of 4576	2808	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe	100
PID 4576 wrote to memory of 512	4576	cmd.exe	103
PID 4576 wrote to memory of 512	4576	cmd.exe	103
PID 4576 wrote to memory of 512	4576	cmd.exe	103
PID 2808 wrote to memory of 3956	2808	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe	104
PID 2808 wrote to memory of 3956	2808	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe	104
PID 2808 wrote to memory of 3956	2808	0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe	104
PID 3956 wrote to memory of 3792	3956	conhost.exe	106
PID 3956 wrote to memory of 3792	3956	conhost.exe	106
PID 3956 wrote to memory of 3792	3956	conhost.exe	106
PID 3956 wrote to memory of 3792	3956	conhost.exe	106
PID 3956 wrote to memory of 3792	3956	conhost.exe	106
PID 3956 wrote to memory of 3792	3956	conhost.exe	106
PID 3956 wrote to memory of 3792	3956	conhost.exe	106
PID 3956 wrote to memory of 3792	3956	conhost.exe	106
PID 3956 wrote to memory of 4892	3956	conhost.exe	107
PID 3956 wrote to memory of 4892	3956	conhost.exe	107
PID 3956 wrote to memory of 4892	3956	conhost.exe	107
PID 3956 wrote to memory of 4892	3956	conhost.exe	107
PID 3956 wrote to memory of 4892	3956	conhost.exe	107
PID 3956 wrote to memory of 4892	3956	conhost.exe	107
PID 3956 wrote to memory of 4892	3956	conhost.exe	107
PID 3956 wrote to memory of 4892	3956	conhost.exe	107
PID 4892 wrote to memory of 656	4892	conhost.exe	108
PID 4892 wrote to memory of 656	4892	conhost.exe	108
PID 4892 wrote to memory of 656	4892	conhost.exe	108
PID 4892 wrote to memory of 4160	4892	conhost.exe	109
PID 4892 wrote to memory of 4160	4892	conhost.exe	109
PID 4892 wrote to memory of 4160	4892	conhost.exe	109
PID 4892 wrote to memory of 1768	4892	conhost.exe	111
PID 4892 wrote to memory of 1768	4892	conhost.exe	111
PID 4892 wrote to memory of 1768	4892	conhost.exe	111
PID 4892 wrote to memory of 4504	4892	conhost.exe	113
PID 4892 wrote to memory of 4504	4892	conhost.exe	113
PID 4892 wrote to memory of 4504	4892	conhost.exe	113
PID 1768 wrote to memory of 3300	1768	cmd.exe	116
PID 1768 wrote to memory of 3300	1768	cmd.exe	116
PID 1768 wrote to memory of 3300	1768	cmd.exe	116
PID 656 wrote to memory of 780	656	cmd.exe	117
PID 656 wrote to memory of 780	656	cmd.exe	117
PID 656 wrote to memory of 780	656	cmd.exe	117
PID 4160 wrote to memory of 3276	4160	cmd.exe	119
PID 4160 wrote to memory of 3276	4160	cmd.exe	119
PID 4160 wrote to memory of 3276	4160	cmd.exe	119
PID 4504 wrote to memory of 2388	4504	cmd.exe	118
PID 4504 wrote to memory of 2388	4504	cmd.exe	118
PID 4504 wrote to memory of 2388	4504	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NJKVS.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Console Window Host" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe" /f
      4⤵
      Adds Run key to start application
      PID:512
- - C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe
      "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3792
  - - C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe
      "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:656
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:780
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4160
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3276
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3300
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4504
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c_NeikiAnalytics.exe

Filesize
328KB

MD5
7abb738b1a9ed9733204d19e102963e0

SHA1
64cf8bdd498c4192dddfbbcfec385f16aab7e3e7

SHA256
0b64b4bb7c2b0fe29be6a166fd770a280b3be4a967376d610d1839ecd62d5d7c

SHA512
91103dd186218b173c0d5d17911be890a33304ebf839bae4b77f11fd1db3bdb533458b88adc06af2551926729842ef3667b82dfb17af8240185dd4bc4832279f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NJKVS.txt

Filesize
154B

MD5
0d0a854e96bddf0e7df7f5f024674226

SHA1
f45ca9c7f935422ddfb0550febdfc7a09baf2d98

SHA256
5bab0b5c3ef8a28a7246854074a5a469c602a10ac803d18f2102399597d35907

SHA512
8b6db387b3bb5774c691bcdd4d9f3a147e1556eee89fe1de929464510c01b14495157c14cbb355fc850b79dee500b8be7ae7a0c3b5ea0916d6eb9154f9ae73a8

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe

Filesize
328KB

MD5
26d8fd44761257d664cfbb7865616d06

SHA1
69af8e436d794709b22c4f8e1e48f27d67321f0a

SHA256
5193f7542e0893672701a86e35d95d1f45ab8366fc4eeefb545e89979dbd7d9b

SHA512
74c9e27776c73e943a4da27ecf3288f6aee5fad180dc4d861fea4425c95f7dc6bb56f27d7f5c04bc23c17b2c4e7a3385fde0eef5722e1f11827578b7c29e0f44

Download Submit
memory/1524-6-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/1524-5-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1524-4-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/1524-2-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1524-3-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/2808-59-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2808-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2808-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2808-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2808-37-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3792-63-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3956-56-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3956-38-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4892-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4892-51-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4892-47-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4892-64-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4892-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4892-69-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4892-71-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4892-73-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads